Fact Check

Facebook Ramnit Worm

Has the Ramnit worm been stealing Facebook credentials?

Published Jan 5, 2012

Claim:   The Ramnit worm has been stealing Facebook credentials.


Example:   [Collected via e-mail, January 2012]

Comment: Malware Worm Spreading on Facebook — 45,000 Passwords Stolen So Far

Seculert issued a warning today that the Ramnit worm, which has traditionally targeted financial login credentials, is now targeting Facebook users. At the time of the release, 45,000 login credentials had been stolen with most of those from users residing in the UK and France. Ramnit is known to attack windows executable files (files ending with exe), MS Office files and HTML documents. The worm’s goal is to steal sensitive data such as user names, passwords, FTP credentials and browser cookies.


Origins:   As PC Magazine reported on 5 January 2012:

A computer worm that has traditionally targeted the financial industry has set its sights on social networking, recently stealing over 45,000 Facebook login credentials, according to security firm Seculert.

In a statement, Facebook said the majority of the login credentials were outdated, but it was still notifying the affected users.

The worm, known as Ramnit, dates back to April 2010, and is described as a multi-component malware family that infects Windows executable and HTML files, stealing sensitive info like stored FTP credentials and browser cookies, Seculert said.

A July 2011 report from Symantec said Ramnit was responsible for 17.3 percent of all new malicious software infections.

That same day, Seculert stated of Ramnit that:

Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France.

We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.

With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.

Last updated:   5 January 2012

David Mikkelson founded the site now known as snopes.com back in 1994.

Read More

a Member

Your membership is the foundation of our sustainability and resilience.


Ad-Free Browsing on Snopes.com
Members-Only Newsletter
Cancel Anytime